feliam (@feliam) 's Twitter Profile
feliam

@feliam

Did binary hacking.
Kind of skip web/cloud hacking.
Doing blockchain hacking now.

ID: 26401102

25-03-2009 02:13:23

859 Tweet

1,1K Followers

890 Following

feliam (@feliam)

Hello web3 users, friendly reminder that all you see in your computer is an interactive video directed by whatever combination of software and malware you have. This includes dApps, browser extensions, OS modules, … you know, same old web2. #devcon #devconnect

Josselin Feist (@montyly)

Respect for Juani for giving a great talk at DSS. Talking about lessons learned after an incident is hard, especially in front of an audience

feliam (@feliam)

The future of DeFi defenses is active offensive security. Big protocols should adopt these measures ASAP. Peter from Blockchain Threat Intelligence knows this. Awesome presentation at DSS. Bitfinding keeps collecting shout-outs at #devcon.

feliam (@feliam)

How much for a stable Chrome full-chain (RCE + sandbox escape + local privilege escalation)? Basically: a payload that, if served to your browser, can lurk, persist, and eventually read your browser-extension wallet keys. 20Mill? How much could it drain in a few hours?

Kaan (@kaanuzdogan)

Dankrad Feist I've summarized it here docs.sourcify.dev/blog/human-rea… The biggest blocker is a widely accepted cross-wallet spec and registry of contract functions to human readable intent mappings. The most advanced one is ERC7730 from Ledger actually but it needs to be under a neutral entity and

Josselin Feist (@montyly)

Anyone who finds meaningful issues in v4 will gain the respect of many people, including myself. If you want your work to be impactful, this is the contest to join

Josselin Feist (@montyly)

BitFinding In DSS shared an interesting idea (youtu.be/0S-Au1VEFfM?si…) to create a market for incident response competitive analysis, and even if there are open issues like spam during crisis events, it is a compelling direction to explore

Arik Galansky (@arik_g)

Blind signing - we are solving it and we need your help. A few people raised the problem of blind signing (again) - a couple of months ago I decided to dive deeper into it and try to solve it - collaborating with some great people. Here’s my take: 1. Clear signing != Simulation.

feliam (@feliam)

TIL: Do not turn on an internal combustion engine if you don’t have a plan for how to turn it off. (I should have learned that from the Pink Panther youtu.be/16YG9qZQIJE?t=…)

BitFinding (@bitfinding)

What a Devcon for us. Only during the Defi Security Summit, we had 4 shoutouts including the closing panel

We hope to inspire more teams to participate in whitehats and that protocols realize there's a real last line of defense for them.

Thank you @iphelix, Juani, Tiago Assumpcao

Security Alliance (@_seal_org)

Another W for web3 security!

Rheo (prev. Size Credit) just adopted SEAL's Whitehat Safe Harbor, adding legal protection for whitehats who step up to rescue funds during active attacks

this is how we build trust & make web3 safer for everyone

frameworks.securityalliance.org/safe-harbor/ov…

Bernhard Mueller (@muellerberndt)

For anyone interested in learning zk proofs, I built a web app that lets you "debug" STARKs end-to-end. You can write simple programs, generate/verify STARKs, and explore the execution traces and constraint polynomials. Link in 1st response.

Coinspect Security (@coinspect)

New on Learn EVM Attacks: 4 new real DeFi exploits reproduced with write-ups, runnable Solidity PoCs, and more: • Futureswap fee bug • 1inch calldata corruption • Bunni rounding drift • LyraDepositWrapper validation flaw Explore, run the code, learn to defend. 🔎👇

feliam (@feliam)

Preparing for my company’s Paper Friday: "A History of Greed: Practical Symbolic Execution for Ethereum Smart Contracts" sites.cs.ucsb.edu/~vigna/publica… Not 100% you need an external tool to give you a CFG that you can build while SE. :shrug:

pashov (@pashovkrum)

🚨Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with $1.78M loss

cbETH asset's price was set to $1.12 instead of ~$2,200. The PRs of the project show commits were co-authored by Claude - Is this the first hack of vibe-coded Solidity code?